Published: Fri 27 February 2026
Prepared by: Adam Skupien, Vulnerability Security Analyst
Purpose
Malicious threat actors are actively exploiting Cisco Catalyst SD-WAN deployments globally via CVE-2026-20127. The observed intrusion chain includes adding a rogue peer into the SD-WAN management/control plane and then progressing to root access to establish persistence.
Compromise assessment is required (not just patching). Cisco Talos and the Five Eyes co-sealed hunt guide indicate this activity has likely been occurring since at least 2023, so organisations should hunt retrospectively as far back as 2023 or as far as telemetry allows.
Vulnerability details
- CVE-2026-20127 (Critical / CVSS 10.0): Authentication bypass affecting Cisco Catalyst SD-WAN Controller (vSmart) and Cisco Catalyst SD-WAN Manager (vManage). Exploitation enables unauthenticated attackers to gain administrative access (reported as an internal high-privileged, non-root context) and leverage SD-WAN management capabilities (e.g., NETCONF) to manipulate fabric configuration.
- Observed post-exploitation tradecraft: Following initial access, threat actors have been observed escalating to root by downgrading the device to a vulnerable version and exploiting CVE-2022-20775, then restoring the original version to reduce visibility.
- Additional vulnerabilities patched alongside CVE-2026-20127: Cisco (and ACSC) also reference additional Cisco Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129, CVE-2026-20133) that should be remediated during the same patch cycle. While this bulletin focuses on the actively exploited CVE-2026-20127, organisations should apply all relevant vendor fixes per Cisco’s advisories and ACSC guidance.
Impact
If exploited, affected organisations may experience:
- Unauthorised administrative control of SD-WAN control/management components (Controller/Manager).
- Insertion of an actor-controlled “rogue peer” that is treated as trusted inside the SD-WAN management/control plane.
- Privilege escalation to root and persistence, enabling sustained access to SD-WAN components.
- Unauthorised changes to SD-WAN fabric configuration and operations (management/control plane actions), which may lead to loss of integrity and availability of network connectivity (e.g., policy/routing changes, disruption).
- Reduced visibility and hindered forensics due to potential defence-evasion activity (e.g., log tampering/clearing).
Mitigation actions
1) Immediate containment and exposure reduction
- Identify and eliminate internet exposure of SD-WAN management/control interfaces; restrict access to legitimate admin sources only (e.g., jump boxes / trusted subnets).
- Place SD-WAN control components behind firewalls and apply network perimeter controls (allow-list trusted sources; avoid direct access from untrusted networks).
- Cisco states there are no workarounds that address CVE-2026-20127; however, for on-prem deployments Cisco recommends restricting traffic to port 22 (SSH) and port 830 (NETCONF) to known controller IPs and other known IPs using ACLs/security groups/firewall rules.
- For Cisco Hosted SD-WAN Cloud variants, Cisco notes “guardrails are in place” (including FedRAMP and Cisco-managed offerings).
2) Patch and harden (primary remediation)
- Collect artefacts (virtual snapshots and logs) from SD-WAN technology.
- Review Cisco’s advisories and fully patch SD-WAN technology, including CVE-2026-20127, and remediate associated SD-WAN Manager issues in the same patch cycle (CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129, CVE-2026-20133).
- Hunt for evidence of compromise as detailed in the Hunt Guide (treat as a required step given potential multi-year activity).
- Implement Cisco hardening guidance, including session timeout minimisation and forwarding logs to remote syslog/SIEM.
- Upgrade to the first fixed release for your train as per Cisco’s CVE-2026-20127 advisory (some trains are End of Software Maintenance and require moving to a supported release).
3) Logging and evidence protection (do this before/while patching)
- Ensure logs are centralised off the device (SIEM/remote syslog) and retained long enough for retrospective analysis, to reduce the impact of potential on-host log tampering/clearing.
Detection capabilities
Retrospective hunting scope (priority)
- Hunt back to at least 2023 (or earliest available logs), as threat intelligence telemetry indicates activity dating back that far.
High-confidence behaviours to hunt for
- Rogue/abnormal peering events: Review control connection state changes and validate timestamps, source public IPs, peer system IPs, and peer types against known topology and authorised ranges.
- Unexpected application downgrade / reversion and reboot patterns: The Hunt Guide includes detections for downgrades that often precede privilege escalation, including indicative artefacts and log paths (e.g., vdebug, sw_script_synccdb.log).
- Suspicious management-plane access paths: Look for evidence of NETCONF (port 830) and SSH being used to traverse within the management plane outside expected admin activity.
- Persistence indicators: New/temporary accounts, unexpected SSH authorised keys (root and/or vmanage-admin), and configuration changes that enable root SSH access.
- Defence evasion: Missing/abnormally small logs, cleared /var/log, cleared shell histories, vManage log deletion activity, and signs that external logging was disrupted (e.g., syslog forwarding prevented).
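The rogue-peering hunt above, as an added example that is not part of this bulletin or Cisco's Hunt Guide: it validates control-connection state-change events against a known topology (authorised public ranges, expected system IPs per peer type) and the 2023 hunt window. The event line format, IP ranges and peer identifiers are constructed for illustration, not the exact vManage/vSmart log layout.

```python
"""Flag SD-WAN control-connection peers that do not match known topology."""
import ipaddress
import re
from datetime import datetime

# Known-good topology (constructed values): authorised public IP ranges for
# controller traffic and the expected system IPs for each peer type.
AUTHORISED_PUBLIC = [ipaddress.ip_network(n)
                     for n in ("203.0.113.0/24", "198.51.100.0/24")]
KNOWN_PEERS = {
    "vsmart": {"1.1.1.1", "1.1.1.2"},
    "vbond": {"1.1.1.10"},
    "vmanage": {"1.1.1.100"},
}
HUNT_START = datetime(2023, 1, 1)  # bulletin: hunt back to at least 2023

# Simplified, hypothetical state-change record (not Cisco's real format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) peer-type=(?P<ptype>\S+) "
    r"system-ip=(?P<sysip>\S+) public-ip=(?P<pubip>\S+) state=(?P<state>\S+)$"
)

# Constructed sample events: one pre-window, two expected, one rogue peer.
SAMPLE_LOG = """\
2022-11-03T08:00:00 peer-type=vsmart system-ip=1.1.1.1 public-ip=203.0.113.5 state=up
2024-05-17T02:13:44 peer-type=vsmart system-ip=1.1.1.1 public-ip=203.0.113.5 state=up
2024-05-17T02:14:10 peer-type=vsmart system-ip=10.255.0.9 public-ip=192.0.2.77 state=up
2025-01-09T23:59:01 peer-type=vbond system-ip=1.1.1.10 public-ip=198.51.100.2 state=down
""".splitlines()


def check_peer_event(line):
    """Return findings for one event; an empty list means nothing abnormal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsed line"]  # unparsable lines deserve a look, not silence
    if datetime.fromisoformat(m["ts"]) < HUNT_START:
        return []  # outside the retrospective window
    findings = []
    ptype = m["ptype"]
    if ptype not in KNOWN_PEERS:
        findings.append(f"unexpected peer type {ptype}")
    elif m["sysip"] not in KNOWN_PEERS[ptype]:
        findings.append(f"unknown {ptype} system-ip {m['sysip']}")
    pub = ipaddress.ip_address(m["pubip"])
    if not any(pub in net for net in AUTHORISED_PUBLIC):
        findings.append(f"public-ip {pub} outside authorised ranges")
    return findings


def hunt(lines):
    """Return (event line, findings) for every suspicious event in the log."""
    hits = []
    for line in lines:
        findings = check_peer_event(line)
        if findings:
            hits.append((line, findings))
    return hits
```

Feed it the control-connection event history exported from your SD-WAN Manager (after adapting LINE_RE to the real record layout) and triage each hit against change records.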
MDR customers: Triskele Labs is tuning detections for behaviour consistent with exploitation of Cisco Catalyst SD-WAN (CVE-2026-20127) across supported log sources. Patching is important, but customers are strongly encouraged to perform retrospective hunting/compromise assessment given indications of long-running activity.
Vulnerability Management customers: Environments are being assessed for vulnerable Cisco Catalyst SD-WAN versions; any exposure will be communicated through priority channels.
References